Cyber criminals infect popular software products with malware and offer them for download. We look at steps you can take to avoid falling victim to this type of cyber attack.
Every time you download and install software on your computer, there’s a risk that you’ll be infecting it with ransomware, spyware, or many other types of malware. This could have catastrophic consequences for your charity.
How can legitimate software be risky? The answer is that someone may have modified it to include malware. Cyber criminals sometimes set up download sites offering software that has been modified maliciously, or they may put modified software on popular legitimate download sites.
There’s also the risk that they manage to hack into a software developer’s own site and replace the software on offer with infected versions.
So what can be done to protect your charity from downloaded software which has been maliciously modified?
One way that software developers can help people avoid downloading modified versions of their products unwittingly is to provide a checksum – also known as a hash – of their software.
A checksum is a short sequence of letters and numbers of a fixed length which is generated by a checksum tool (sometimes called a hashing tool) for any given piece of software.
The key thing to understand is that the checksum generated for one piece of software will be completely different to the checksum generated for the same software if it has been modified in any way at all.
That means that when a developer completes a piece of software, they can use a checksum tool to create a checksum for the software, and publish this checksum on their website.
When you download the software for your charity, from any site anywhere in the world, you can then check that the version you have downloaded has not been modified.
To do this you use a checksum tool to generate a checksum for the software you have downloaded. If the checksum is not identical to the checksum on the developer’s site, this indicates that the software has changed.
It is possible that this is simply because the software became corrupted during the download process, in which case it needs to be redownloaded. But it could be a sign of something more sinister: that the software has been deliberately modified by someone to incorporate ransomware or other malicious software.
There are many checksum tools that you can download free, including:
Windows 10 also includes a built-in checksum tool called Get-FileHash for users familiar with Windows PowerShell. If you don’t know what PowerShell is then Get-FileHash is not for you.
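For readers who are comfortable with PowerShell, here is an added example (not from the original article) of the check described above, using Get-FileHash to compare a downloaded installer against the checksum published on the developer’s site. The file path and the published checksum value are placeholders you must replace with your own.

```powershell
# Added example, not part of the original article: verify a downloaded file
# against the SHA-256 checksum the developer published on their website.
# Both values below are placeholders; replace them with the real download path
# and the checksum copied from the developer's site.
$DownloadedFile    = "$env:USERPROFILE\Downloads\example-installer.exe"
$PublishedChecksum = "PASTE-THE-SHA256-CHECKSUM-FROM-THE-DEVELOPERS-WEBSITE-HERE"

function Test-DownloadChecksum {
    param(
        [string]$Path,
        [string]$Expected
    )
    # Get-FileHash is built into Windows 10 PowerShell. SHA256 is what most
    # developers publish today; if the site lists SHA1 or MD5 instead, pass
    # that name to -Algorithm, but prefer SHA256 wherever it is offered.
    $Actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Checksums are hexadecimal, so compare case-insensitively (-ieq) and
    # ignore any whitespace picked up when copying from the web page.
    return @{
        Matches  = ($Actual -ieq $Expected.Trim())
        Expected = $Expected.Trim()
        Actual   = $Actual
    }
}

$Result = Test-DownloadChecksum -Path $DownloadedFile -Expected $PublishedChecksum

if ($Result.Matches) {
    Write-Output "OK: the checksum matches the developer's published value."
} else {
    # A mismatch means the file is not the one the developer released. It may
    # simply be a corrupted download, so re-download from the developer's own
    # site first; if the checksum still differs, do not install the file.
    Write-Output "MISMATCH: do not install this file."
    Write-Output "  Expected: $($Result.Expected)"
    Write-Output "  Got:      $($Result.Actual)"
}
```

Run this from a PowerShell window after the download completes, and only proceed with installation when it reports a match.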
If verifying checksums sounds too complicated or too time-consuming, the good news is that it is not always necessary.
That’s because many software vendors add digital signatures to their software. A digital signature is the electronic equivalent of an old-fashioned wax seal on an envelope: it proves who the author of a piece of software is, and it also proves that it has not been modified since the digital signature was applied.
The technology behind digital signatures is complicated, involving modern cryptographic systems, checksums, and entities called Certificate Authorities that carry out administrative work such as checking software developers’ identities.
The end result of all of this technology is that when you start to install a piece of software on your charity’s computer, a window pops up asking if you want to install the software, along with the name of the software developer if the software has a digital signature. If the name of the software developer is exactly what you were expecting then you can be sure that the software is genuine and unmodified.
If the software does not have a digital signature then the window will provide a warning that this is the case. This may be because the software developer has chosen not to add a digital signature (probably because there is usually a cost associated with adding one), or it may indicate that the software has been modified by a cyber criminal.
But in any case it is wise to think twice before installing software which lacks a digital signature (also known as “unsigned code”). If software that you get from a download site has no digital signature then it is usually worth checking the software developer’s own site to see if a version of the software with a digital signature is available.
Two important things to note:
For these two reasons you should ensure your charity’s computers are running endpoint protection software which automatically scans downloaded files for malware.